dfri/ sysadm/ st

Using System Transparency at DFRI

Building a bootball with Debian in it

Setting up, once

git clone FIXME/system-transparency
cd system-transparency

Now, get the following files from another sysadmin: - run.config, to be put in ./ - your own signing key for signing bootballs, to be put under keys/ - four files to put in stboot/data/

./run.sh
: Install toolchain: r
: Generate example keys and certificates: q

Building a new bootball

operating-system/debian/make_debian.sh
scripts/create_and_sign_bootball.sh
for f in bootballs/*.stboot; do sha256sum $f; done

The resulting ball can be found in the bootballs directory. It can be run in qemu for debugging purposes.

Building the boot loader

Build the so called "mixed firmware", to be included in the coreboot image. You'll need sudo for this.

stboot/mixed-firmware/make_image.sh

gnupg might have trouble fetching torvalds key. If so help it.

In the kernel config, just save and exit.

Building coreboot

If coreboot master is troublesome, here are commits in the coreboot repo known to have worked well before: b27b0fd2ac06e9aa8bafb8f780e5859da5bf6420

cd stboot/coreboot-firmware
git clone https://review.coreboot.org/coreboot && cd coreboot
make crossgcc-i386 CPUS=$(nproc)
cp -vi ../x11ssh-tf.defconfig .config
git submodule update --checkout --init
make -C util/ifdtool
: get original_vendor_bios_dump.bin from $someone (if everything else fails, ask linus for p/st/roms/original-vendor-bios)
util/ifdtool/ifdtool -x original_vendor_bios_dump.bin
mkdir -p 3rdparty/blobs/mainboard/supermicro/x11-lga1151-series
cp -iv flashregion_0_flashdescriptor.bin 3rdparty/blobs/mainboard/supermicro/x11-lga1151-series/descriptor.bin
cp -iv flashregion_2_intel_me.bin 3rdparty/blobs/mainboard/supermicro/x11-lga1151-series/me.bin
make menuconfig
: just save and exit
BUILD_TIMELESS=1 make
build/cbfstool ./build/coreboot.rom add-payload -r COREBOOT -f ../../mixed-firmware/vmlinuz-linuxboot -n fallback/payload -C "console=ttyS0,115200 ro" -I ../../../stboot/initramfs-linuxboot.cpio.gz
: the newly built image is found in build/coreboot.rom
cd ../../..

Writing coreboot image to flash rom

TODO